![vtsguerrero vtsguerrero](https://community.splunk.com/legacyfs/online/avatars/228702.jpg)
I have four dashboard tables for 10am to 11am, from 11am to 12am, from 12am to 13am and one from 13am to 14am...
I need a time picker to change only the day of the search and keep these tables' one hour time windows... what's the easiest way I can set this search string or maybe use a text input to pass the date as $parameter$ ?
Thanks in advance!
Best regards
![somesoni2 somesoni2](https://community.splunk.com/legacyfs/online/avatars/100305.jpg)
Let the timepicker values be used as earliestTime and latestTime for each panel. Add the following to your base searches.

```
your base search [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+10h") | eval latest=relative_time(info_min_time,"@d+11h")| return earliest,latest] | rest of the search
```
e.g. run anywhere sample.
```xml
<form>
  <label>Multiple Time Picker</label>
  <fieldset>
    <input type="time" >
      <label>TimePicker for SourceType</label>
      <default>
        <earliestTime>-15m</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Sourcetypes 10 AM to 11 AM</title>
      <searchString>index=_internal [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+10h")
        | eval latest=relative_time(info_min_time,"@d+11h")| return earliest,latest] | timechart count by sourcetype
      </searchString>
      <option name="count">5</option>
    </table>
  </row>
  <row>
    <table>
      <title>Sourcetypes 11 AM to 12 AM</title>
      <searchString>index=_internal [|gentimes start=-1|addinfo | eval earliest=relative_time(info_min_time,"@d+11h")
        | eval latest=relative_time(info_min_time,"@d+12h")| return earliest,latest] | timechart count by sourcetype
      </searchString>
      <option name="count">5</option>
    </table>
  </row>
</form>
```
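
An added example, not part of somesoni2's post: the same subsearch technique applied to the asker's count query, with one panel returning all four hourly totals for the day chosen in the picker. The `channel` text input, the `@d` picker default and the fallback to today are assumptions; the thread uses `$channel$` without showing how it is set.

```xml
<form>
  <label>Hourly totals for the selected day</label>
  <fieldset>
    <!-- The picker only chooses the day; the hour window is fixed in the search. -->
    <input type="time">
      <label>Day</label>
      <default>
        <earliestTime>@d</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <!-- Assumed input: the thread references $channel$ but never shows it. -->
    <input type="text" token="channel">
      <label>Channel</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Totals per hour, 10:00 to 14:00</title>
      <!-- addinfo exposes the picker's earliest bound as info_min_time.
           relative_time(..., "@d+10h") snaps it to midnight of that day and
           adds 10 hours, so only the picker's first day is ever searched.
           With "All time" info_min_time is 0, which would select a day in
           1970, so fall back to today (assumed behaviour for this example). -->
      <searchString>index=main ProductList=* Channel=$channel$
        [| gentimes start=-1
         | addinfo
         | eval day=if(info_min_time>0, info_min_time, now())
         | eval earliest=relative_time(day, "@d+10h")
         | eval latest=relative_time(day, "@d+14h")
         | return earliest latest]
        | timechart span=1h count
      </searchString>
      <option name="count">5</option>
    </table>
  </row>
</form>
```

The `earliest` and `latest` returned by the subsearch override the picker's range in the outer search, so a picker range spanning several days still yields only the first day's 10:00 to 14:00 window.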
![vtsguerrero vtsguerrero](https://community.splunk.com/legacyfs/online/avatars/228702.jpg)
My current query for this dashboard is:

```
Index=main ProductList=* Channel=$channel$ | stats count
```
I need to count the total per day per set time, so they are four totals individually by time :
10am total
11total
12total
13total
And use time picker only to change between days...
![somesoni2 somesoni2](https://community.splunk.com/legacyfs/online/avatars/100305.jpg)
Could you provide more details? Like your current query and expected output...
![vtsguerrero vtsguerrero](https://community.splunk.com/legacyfs/online/avatars/228702.jpg)
What's the correct syntax order if I need a stats count per day with fixed time settings too? The same query above but for a stats count over those intervals...
![ppablo ppablo](https://community.splunk.com/legacyfs/online/avatars/225716.jpg)
@vtsguerrero no problem 🙂 I just wanted to make sure so you could get an accurate answer. Glad @somesoni2 found you a solution!
![vtsguerrero vtsguerrero](https://community.splunk.com/legacyfs/online/avatars/228702.jpg)
Thanks a lot, @somesoni2 it worked like a charm!!
![vtsguerrero vtsguerrero](https://community.splunk.com/legacyfs/online/avatars/228702.jpg)
Works perfectly! Thankssss
![vtsguerrero vtsguerrero](https://community.splunk.com/legacyfs/online/avatars/228702.jpg)
@Pablo_splunk
Yeah, sorry, I'm not really used to time differences (Brazil here) but that's what I meant, it's a progression time where all events are, just need a day filter... (sorry if bad English here)...
![vtsguerrero vtsguerrero](https://community.splunk.com/legacyfs/online/avatars/228702.jpg)
Simple XML Splunk 6.1
I'm currently using
![ppablo ppablo](https://community.splunk.com/legacyfs/online/avatars/225716.jpg)
@vtsguerrero
did you mean to put 11am to 12PM, 12PM to 13PM, and 13PM to 14PM? You put AM for each hour
![somesoni2 somesoni2](https://community.splunk.com/legacyfs/online/avatars/100305.jpg)
What version of Splunk? Advanced xml or simple xml? If advanced xml, do you use Sideview Util? And if using Sideview Util, what is its version?